2. Description of Prior Art
With advent of electronic commerce, or ecommerce, the internet has brought the world together as a global trading market. Consumer at any corner of the world can buy products or services from any merchant at other parts of the world, as long as the consumer can have access to the internet and the merchant has set up a web store front. The volume of this electronic online trading is apparently huge and its growth can be explosive. What usually takes place is that, when a consumer shop at a merchant's online store, after placing an order online, the consumer will also need to enter payment information online at the same time, which is normally done by filling out a payment form that requires payment card number and certain payment card supporting information.
When merchant received the order from the consumer with payment information, the merchant will then try to fulfill the order and send in payment request to a private payment card clearing network through a payment gateway. Once the merchant received the payment request response, that is payment authorization, from the payment gateway, the merchant will then deliver what the consumer ordered, and send in the request for payment capture.
This online transaction starts when the consumer entered the order with payment information, and completed when the merchant fulfilled the order and captured payment. A potential fraudulent online transaction occurs when the credit card, or payment card, that used to pay for the orders online was pirated, often from off line sources. Because of the wide spread, global reach that internet enables, the potential damages to the online trading due to pirated payment cards, compared to damages it can cause to offline trading, or the traditional, old style commerce, can be many times over.
With enabling internet technologies and cryptographics algorithms today, a number of online transaction systems were proposed or developed, with varying degrees of security measures against fraud.
SET, Secure Electronic Transaction, a widely recognized, highly secure protocol for ecommerce, was first proposed by VISA, MASTERCARD, and other financial institutions in 1997[1]. Its sophisticated technological requirement has not met with wide spread deployment. Its failure in wide spread deployment should not be regarded as low acceptance among ecommerce population with respect to the importance of electronic transaction security. Rather, people have opted for other electronic transaction models that are a lot easier for merchants to deploy and for consumers to use. That is, a user friendly, risk tolerate transaction model, which can operate without technological sophistication of the digital certificates. Set up and operate with digital certificates can be intimidating for technology novice consumers.
These popular electronic payment transaction models, also known to be of the class of online payment with SSL-security, though user friendly, are severely compromised that they are incapable of effectively dealing with pirated payment cards, which often came from offline sources. This shortcoming is particularly pronounced when online transaction takes place for immediate download of products or services from the merchant's web sites, where Address Verification System (AVS) is normally not applicable.
To address this shortcoming, many alternative approaches have been proposed. Notably, Bartoli et al., U.S. Pat. No. 6,047,268, Linehan, U.S. Pat. No. 6,327,578, and others. Although online billing and online payment are different in scope, Bartoli et al. presented an interesting billing process that is noteworthy. Bartoli et al. teach a billing system that will automatically authenticate the user using “cookie” file which includes explicit user account number and authentication data, bills the user directly and then settles payment with the merchant directly. Both user and merchant must register at the same billing system, that is, both user and merchant must set up direct financial relationship with the same billing system, including the credit line limit that the billing system gives to each user,in order to make this payment process work. Its advantage is that user does not need to install client software, except for a cookie file, and user can stay anonymous with respect to the merchant. But, as the number of users and merchants increase, and each registers at their own billing system, the number of registrations that a user or a merchant need to do to establish direct financial relationships with different billing systems in order to be able to carry out transactions among potential users and merchants will be overwhelming, it seems to try to replace the current payment network, instead of taking advantage of it. The current payment network has been tried for many decades and any error or downtime is extremely costly. In addition, it routes authorization token through client machine which will risk potential fraud from malicious user as man-in-the-middle or risk fraudulent page re-direct.
Linehan, on the other hand, discloses a method that involves “thin” consumer wallet that communicates directly with issuer via issuer gateway. The wallet provides functions such as authenticating the consumer to the issuer gateway, to timeout payment request and to retry payment request. The issuer gateway act on behalf of the issuer, is equivalent to the “store front” presence of the issuer on the open internet. This payment protocol has many advantages over the SET, such as avoid usage of consumer digital certificate, separate authentication technology between the consumer and issuing bank from the rest of the payment protocol, etc. But, requiring a consumer wallet in order to process a transaction could prove to be quite inconvenient for a consumer who wants to carry out transactions on many different machines at many different locations, such as at office, at home, or at airport, because that consumer wallet installed on consumer's machine is limited in terms of portability. In addition, the installation of the wallet client software on consumer's machine can be quite challenging to a novice consumer, especially if many issuers are involved that makes the wallet authentication mechanism overly complicated. Also, since an issuer gateway has implied direct relationship with the issuer, a consumer does not have a choice of which issuer gateway to go to, once he or she has decided which payment card he or she wants to use to pay for the order. Specifically, a consumer cannot go to an American Express Card issuer gateway because of its good service, while he or she wants to use a payment card of other issuer (BankOne Visa or MasterCard, etc.) because of a favorable interest rate. This protocol inter-connects complex relationships among issuers and acquirers, ultimately, it's like to rebuild the function that current backend banking network does, instead of taking full advantage of it. Any alteration inside the existing backend banking network will be very costly, as it cannot tolerate any error or downtime. And, as also pointed out by Linehan, this protocol routes payment messages through consumer's machine, and should implement “replay detection”, that is, to detect potential fraudulent page-redirect, which no current algorithm can do effectively.
A useful and desirable electronic payment transaction method or protocol should be user friendly, can be deployed easily and cost effectively, comply with and take advantage of existing payment infrastructure, and at the same time, provides a sound measure against fraud, which often arise from pirated payment card numbers.